A couple of days ago I logged in to a Linux VM and the VM said there were 12000 failed login attempts. After each login it kept informing me of failed login attempts, so I started to monitor my firewall logs on the host machine (which now also covers the VMs) and I keep finding incoming requests for DNS, telnet, HTTP and SSH.

An example of some requests now:

As you can see, seemingly random hosts keep connecting to my host and/or VMs using various ports.

I began using the server a week ago and all I did was bind my domain to it and some VMs on it. There are however no real services running on it (except some test environments like HTTPD).

I'd like to note the host machine has had ransomware (Dharma) for a brief moment (I completely reinstalled it after a day).

This has been going on for a couple of days and as soon as the server comes online it continues. I assume this is an attack? If so, is there something I can do about it or do I just wait it out?


This is normal. There are automated scanners constantly mapping and attempting to break into weakly secured or otherwise vulnerable services anywhere they exist on the Internet. It's just background noise.
– Xander, Dec 10 '16 at 15:59

I have diagnosed your problem. It's called "being on the Internet."
– gowenfawr, Dec 10 '16 at 16:03

@gowenfawr Haha thanks, doctor! I was just worried about being personally targeted but I guess that is not the case!
– Limnic, Dec 10 '16 at 16:15

1 Answer
1

There are now millions of machines connected to the internet that are infected and part of one or sometimes several botnets. One of the things some botnets do is automatically and continuously trawl through discovered IP addresses looking for ports to try and connect to. When they find one, they will attempt to use common IDs and passwords to break in and infect the found machine.

You will find that any new server or router connected to the Internet is discovered within around 30 seconds.

You should NEVER leave common ports open directly to the Internet unless you really need them.

Some ports should NEVER be left open full stop. Those include TELNET and FTP. These are unencrypted services and if you use them, you are open to having your logins stolen and any data you transfer recorded.

In general, the only ports you should leave open on their defaults are 80 and 443 for HTTP and HTTPS respectively. Of course, you might need others too but you always need to be aware that any port is a target.

In addition to the unsecured services, I strongly recommend moving the default ports for SSH and RDP as these attract a lot of attention and you really don't want your logs full of connection attempts since this may mask other issues. RDP in particular can be susceptible to attack and there have been some really high-profile attacks using it recently. RDP is the Microsoft remote desktop service.

UPDATE: Accessing SSH via Teamviewer is a little excessive really. Use it but just move it to a different port. You might also look at something like fail2ban which can add some smarts to the firewall by auto-banning IP addresses that persistently try to get in.

Teamviewer has had some serious security failings in the past; I'd recommend doing a search to make sure it is OK at the moment. You would generally only be using RDP on a Windows server, and you need an appropriate license for that.
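The answer's fail2ban suggestion boils down to counting failed sshd logins per source address and blocking sources that cross a threshold. The script below is an added example, not code from the question, the answer or the fail2ban project: it parses a constructed sample of auth.log-style sshd lines (RFC 5737 documentation addresses, an assumed threshold of 3) and prints the iptables rules an auto-banner would insert, rather than applying them, so it can be run and inspected safely on any machine.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a minimal
# fail2ban-style triage of sshd "Failed password" lines as found in
# /var/log/auth.log. The log lines below are CONSTRUCTED for illustration,
# the IPs are RFC 5737 documentation addresses and the threshold is assumed.

# Constructed sample of sshd log lines in the syslog format auth.log uses.
SAMPLE_LOG='Dec 10 15:01:02 vm1 sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 10 15:01:04 vm1 sshd[1201]: Failed password for root from 203.0.113.5 port 40130 ssh2
Dec 10 15:01:05 vm1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40140 ssh2
Dec 10 15:01:07 vm1 sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 51000 ssh2
Dec 10 15:01:09 vm1 sshd[1207]: Accepted publickey for limnic from 192.0.2.10 port 52000 ssh2
Dec 10 15:01:11 vm1 sshd[1209]: Failed password for root from 203.0.113.5 port 40150 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source,
# most attempts first. Only sshd "Failed password" lines are counted, so a
# successful "Accepted" login never contributes to a ban.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# offenders: print the IPs whose failure count is >= $1 (the ban threshold).
offenders() {
    threshold="$1"
    failed_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# ban_rules: for each offender, print the iptables rule an auto-banner would
# insert. This only prints; an operator would review the output before
# piping it to sh, and a real fail2ban jail would also expire the ban later.
ban_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Demonstration on the constructed sample with the assumed threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

On a live system the sample would be replaced by `ban_rules 3 < /var/log/auth.log` (or `journalctl -u ssh | ban_rules 3`); the per-IP count is also the quickest way to see whether the 12000 attempts in the question come from a handful of scanners or from many addresses.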

The Reason Code of "Endpoint does not exist" indicates that these ports are closed, not open. I suggest you rewrite the first para of your answer; a lot of what you say is good but leading in with "Oh dear, you have [done something your posted image clearly indicates you didn't]" made my downvote finger twitch.
– gowenfawr, Dec 10 '16 at 16:06

Hello, thank you for your answer! My firewall is configured to deny all ports by default. Exceptions are made for services on my computer such as Teamviewer. That brings me to my next question: is Teamviewer safe enough to keep on my computer as an alternative to RDP? Also, I configured my SSH to listen on a local network and use Teamviewer VPN to access that network; ever since, I don't get SSH logs anymore, so I suppose that dealt with that...? Besides that I will take time to properly remove any unnecessary firewall exceptions and I will migrate services to other ports! :)
– Limnic, Dec 10 '16 at 16:07

@gowenfawr, good point and serves me right for not properly reading the image (I'll make the excuse that my eyesight isn't what it once was! Oh, OK, I know that is feeble). Thanks.
– Julian Knight, Dec 10 '16 at 16:08

1

@Limnic I suggest you open a separate question about Teamviewer rather than try to wedge it into this one - but first search for questions that already address it, such as Can someone hack through teamviewer?
– gowenfawr, Dec 10 '16 at 16:10